Executive Summary
This document outlines a malspam attack targeting businesses through fraudulent emails that exploit Remote Monitoring & Management (RMM) tools. The attackers deceive recipients into clicking a malicious link disguised as an invoice, which installs an RMM tool on their system. Since these tools are legitimate applications, they evade antivirus detection, granting attackers full remote access.
Once access is gained, the attackers escalate their control by installing additional RMM tools for persistence, spreading malware via email, and modifying system settings. Critically, they exploit the compromised workstation—often belonging to accountants or financial officers—to capture smart card PINs and execute fraudulent wire transfers, resulting in significant financial losses.
This document provides a detailed breakdown of the modus operandi, risks, and recommended preventative measures to mitigate the threat posed by such attacks.
Significance for Luxembourg
Over the past few weeks, we have received multiple reports from organizations and individuals regarding suspicious inquiries from their banks, such as:
- “Do you really want to execute 10 transactions totaling approximately 30,000 EUR abroad?”
- “Do you really want to execute a transaction of 1,000,000 EUR abroad?”
These transactions are real and executed by attackers who have gained access to the victim’s banking system by installing legitimate Remote Monitoring and Management (RMM) tools.
The initial infection occurs through phishing and spear-phishing attacks, as detailed below.
Modus Operandi
- The attacker sends a fraudulent business email containing a fake invoice as an attachment.
- The attachment is actually a link that downloads a Remote Monitoring & Management (RMM) tool.
- If the victim clicks the link, the RMM tool is installed on their system.
- Antivirus software does not detect the RMM tool as malicious since these are legitimate applications.
- The RMM tool grants the attacker full remote access to the victim’s computer, allowing them to capture the MultiLine smart card PIN.
- The attacker then:
  - Installs multiple other legitimate RMM tools for persistence.
  - Sends infected emails to contacts in the victim’s address book.
  - Analyzes the compromised system.
  - Modifies system configurations to achieve their objectives.
  - Executes fraudulent financial transactions.
Recent Examples (translated from French)
Subject: Recovery of unpaid invoice – Invoices no. FACT#062024 and FACT#072024 dated 15/06/2024
Dear Sir or Madam,
This communication concerns invoices no. FACT#032024 and FACT#042024 for a total amount of 32.857€ which Recovery of unpaid invoice – Invoices no. FACT#062024 and FACT#072024 dated 15/06/2024. You will find attached a copy of the relevant invoice.
As you know, we have provided you with the recovery deadline for file R1184521. However, despite the reminder made on 15/06/2024, on which a reminder letter was sent, we note that the invoice remains unpaid, even though we have fulfilled all our obligations.
Therefore, we ask you to send us a certified cheque in the amount of 32.857€ payable to our company within 10 days of receipt of this formal notice. The cheque must be sent to our address. Failing this, legal proceedings may be brought against you, without further notice or delay.
Please be advised that we will consider in good faith any alternative method of settlement proposed. We believe it is in everyone’s interest that this situation be resolved amicably. To that end, we invite you to contact us if you wish to discuss this formal notice.
Please disregard this letter if payment was made before the date of receipt of this communication.
PLEASE ACT ACCORDINGLY.
Prevention Strategies
Preventing such malspam attacks (malicious spam containing hyperlinks to download malware) in a corporate environment requires a multi-layered security approach. Below are effective prevention strategies:
1. Email Security Measures
- Advanced Email Filtering – Use secure email gateways and spam filters to detect and block malspam emails before they reach inboxes.
- Disable Auto-Download of Attachments – Prevent email clients from automatically downloading linked files.
- Link Sandboxing & URL Analysis – Implement email security solutions that scan and analyze hyperlinks in real-time before users click them.
- CIRCL offers a free online service for scanning email attachments: Pandora.
2. User Awareness & Training
- Security Awareness Campaigns – Educate employees on not clicking unknown or unexpected links, even from seemingly trusted sources.
- Hover Over Links Before Clicking – Teach employees to hover over hyperlinks to preview URLs before clicking.
- Phishing Simulation Training – Conduct regular phishing tests to train employees on recognizing suspicious links.
- CIRCL offers a free online service for investigating URLs: Lookyloo.
3. Endpoint Protection & Network Security
- URL Blocking & Web Filtering – Use web proxies and security tools to block known malicious domains.
- Application Whitelisting – Restrict the execution of unapproved applications to prevent malware from running.
- Endpoint Protection Software – Deploy next-gen antivirus (NGAV) and Endpoint Detection & Response (EDR) to identify and block malware from executing.
4. Email Authentication & Domain Protection
- Implement DMARC, DKIM, and SPF – These email authentication protocols help prevent email spoofing and domain impersonation.
- Brand Protection & Domain Monitoring – Monitor for domain spoofing attempts and register similar domains to prevent phishing.
- Correct DNS Configuration – See TR-92.
5. Access Control & Least Privilege Principle
- Restrict User Privileges – Users should not have admin rights unless absolutely necessary.
- Additional Authentication – Enforce authentication and verification for accessing external links or downloading software.
- Disable Macros & Auto-Execution of Scripts – Prevent execution of malicious scripts embedded in documents.
6. General: Secure Software & Patch Management
- Regular Software & OS Updates – Ensure all systems, browsers, and email clients are patched to prevent exploitation.
- Disable Unnecessary Browser Plugins – Reduce attack surface by removing unneeded browser extensions.
7. Incident Response & Monitoring
- SIEM (Security Information and Event Management) – Implement real-time monitoring to detect unusual email traffic patterns.
- Incident Response Plan – Have a response team and strategy ready if employees fall victim to malspam, including isolating infected devices and removing malware.
Actions during a Compromise
- Disconnect the affected PC from the network immediately (do not forget Wi-Fi).
- Talk to your local incident response team.
- If no such team exists, do not hesitate to contact CIRCL to discuss the case, and be prepared to receive an action plan.
- Inform your IT team to increase monitoring and the vigilance level.
- Investigate whether other PCs may be affected.
- Warn all your contacts, clients, customers and the like not to click on links in emails sent by your organization.
- Teach all your staff about the issue and make them vigilant.
- There are legal obligations in case of compromised infrastructure, e.g. to inform the CNPD within 72 hours, as well as any victims of a data breach. CIRCL will give you recommendations if necessary.
Mitigation Strategies
Ineffective Solutions from ICT Providers: What Does NOT Fix the Problem
Some service providers attempt to mitigate the issue by running multiple antivirus scans on the infected system. If no further malware is detected, they conclude that the system is clean.
However, this approach is ineffective because:
- Attackers install legitimate RMM tools that antivirus software does not flag.
- It is nearly impossible to detect all backdoors left by the attackers.
- If this approach is followed, attackers will regain access quickly and continue fraudulent activity.
Effective Mitigation Steps
- Implement an Endpoint Detection and Response (EDR) solution and enforce an allowlist for RMM tools used within the organization.
- Use LuxTrust Mobile or LuxTrust Scan instead of a smart card to authenticate (see the LuxTrust documentation).
- Remove the MultiLine smart card from the reader when not in use.
- Apply the 4-eyes principle for wire transfers.
- Enable additional authentication factors for MultiLine banking (e.g., phone-based authentication).
- Select a bank that actually checks wire transfer recipients.
Remediation After a Compromise
If an organization falls victim to this attack, the following actions must be taken:
- Immediately contact your organisation’s bank and the destination bank to block the fraudulent wire transfer.
- File a complaint with the local police or the “service de police judiciaire”.
- Contact CIRCL if you need technical support or advice related to IT security incidents.
- Reinstall the compromised system from scratch.
- Monitor Remote Desktop access. Attackers may exploit existing RDP access to escalate privileges or move laterally within a network. Evidence of such activity can often be found in Event Logs.
- In severe cases, all systems within the organization may need to be reinstalled.
- Revoke and reissue all banking certificates.
- Reset all passwords.
- Implement Two-Factor Authentication (2FA) wherever possible.
- Educate employees on cybersecurity best practices to prevent future incidents.
Conclusion
A simple virus scan does not resolve this issue. To fully mitigate the attack, the affected system must be completely reinstalled.
Organizations should closely monitor their ICT service providers to ensure proper remediation is performed.
IoC
See MISP event uuid 5f7819de-5656-4063-a76a-a39253ee5154, available on MISP for the private sector.
Classification of this document
TLP:CLEAR information may be distributed without restriction, subject to copyright controls.
Revision
- Version 1.0 - TLP:CLEAR - First version - 26th February 2025